SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.

Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years.

Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat.

"I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," Chartier said.

Chartier and other computer security experts are advising people to consider changing all their online passwords.

"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint."

But changing the passwords won't do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.

"This is going to be difficult for the average guy in the streets to understand, because it's hard to know who has done what and what is safe," Chartier said.

Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday.

"We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data," Yahoo said.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

About two-thirds of Web servers rely on OpenSSL, Chartier said. That means the information passing through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption. Besides emails and chats, OpenSSL is also used to secure virtual private networks, which are used by employees to connect with corporate networks seeking to shield confidential information from prying eyes.

Heartbleed exposed a weakness in encryption at the same time that major Internet services such as Yahoo, Google, Microsoft and Facebook are expanding their usage of technology to reassure the users about the sanctity of their personal data. The additional security measures are being adopted in response to mounting concerns about the U.S. government's surveillance of online activities and other communications. The snooping has been revealed during the past 10 months through a series of leaked documents from former NSA contractor Edward Snowden.

Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post.

Although it may take months for smaller websites to install the Heartbleed fix, Chartier predicted all the major Internet services will act quickly to protect their reputations.

In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr offered its users some blunt advice.

"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Post by Thad Floryan
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint."

This is the worst part of the vulnerability.

Post by Thad Floryan
But changing the passwords won't do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.

...no, actually, *this* is the worst part. We're going to have to wait for every single service provider to tell us when their servers are secure and up to date before changing anything, and in the meantime our current passwords are sitting there waiting to be eaten. In fact it's *worse* to log in now, even to change the password, because the likelihood that the server has expired our password from our previous login is high, especially for a high-traffic site. But if we log in now, our creds will be fresh in the service's cache, ripe for the eavesdropping.

Post by Thad Floryan
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

..actually, *this* might be the worst part, because people are going to blame all open source software for the problem, and start downgrading back to Windows in reaction.

Post by Thad Floryan
Beside emails and chats, OpenSSL is also used to secure virtual private networks, which are used by employees to connect with corporate networks seeking to shield confidential information from prying eyes.

Fortunately for many of us, OpenSSH is not vulnerable, because it does not use SSL/TLS.

Post by Keith Keller
..actually, *this* might be the worst part, because people are going to blame all open source software for the problem, and start downgrading back to Windows in reaction.

But the thing about paying a company rather than relying on open source is that the company is liable for errors and omissions and can be successfully sued, or at least be compelled to fix the problem. Good luck doing that with open source.

Post by David Kaye
But the thing about paying a company rather than relying on open source is that the company is liable for errors and omissions and can be successfully sued, or at least be compelled to fix the problem. Good luck doing that with open source.

Good luck extracting damages from Yahoo after they've exposed your passwords.

THAT was my point, and it's not just your kicking boy, Yahoo, either. When you pay for something the seller enters into a contract saying that what they're selling you is fit for use. When they give you something for free, there is no such contract, so there is no liability.

Oh, and the contracts that say that a particular piece of software is not licensed "for any particular purpose" was bogus from the start. Companies thought that it somehow protected them because they weren't offering, say, an accounting program as an accounting program, so don't blame them if it doesn't work right. Nonsense, said the courts. You market the thing as an accounting program and the customer buys it, assuming that it's an accounting program. The contract wording is invalid.

But open source code is different. Everybody enters the door knowing that the code is publicly available, and thus might get hacked. People THINK that coders are all honest and that they're all going to check each other's work and keep malware out of the code. Hardly. Nobody is going to sit down and analyze millions of lines of code unless they're being paid for it, and even then there will be errors and omissions.

I had no idea that use of open source for encryption was so widespread. I'd have told anybody who would listen that this was a STOOPID idea.

Heck, where is that piece of code with the if/then/elses in it that left off 1 line of code and failed to throw an error message, allowing people to get in? The code was barely more than a dozen lines and went undetected for years -- and it was gateway code, not some arcane encryption code buried somewhere.

THAT was my point, and it's not just your kicking boy, Yahoo, either. When you pay for something the seller enters into a contract saying that what they're selling you is fit for use. When they give you something for free, there is no such contract, so there is no liability.

You've clearly missed my point, which is that you will never see these damages. Either you will lose your suit, or you'll get a $10 gift certificate from a class action. You certainly won't get protection from crackers who have stolen your credentials.

Post by David Kaye
I had no idea that use of open source for encryption was so widespread. I'd have told anybody who would listen that this was a STOOPID idea.

It's so true! Let's use commercial encryption, so we can suffer from the goto fail bug instead.

Post by Keith Keller
You've clearly missed my point, which is that you will never see these damages. Either you will lose your suit, or you'll get a $10 gift certificate from a class action. You certainly won't get protection from crackers who have stolen your credentials.

MY SUIT? Obviously you don't know how to read. I have no intention of suing anybody. And I don't expect for my email to be private, if for no other reason than that the email providers (especially Google) look over the emails in order to target ads. Thus, if a person gets targeted email, there is a file being saved somewhere that indicates the person's interests and possibly a lot of other information.

Post by Steve Pope
The theory is that if your encryption code is open-source, then a wide range of experts (both cryptographers and software engineers) can examine it for correctness.

Well, yes, except that the code is so massive that nobody is going to sit down without pay and go through all the routines and the callbacks and whatnot to see what the code is doing. When I wrote software it was about 20% writing code and 80% bug testing. Bug testing is not glamorous, and there are not many people who are going to sit there and debug unless they can make a good amount of money doing so.

Post by Steve Pope
Some of the commentary over the last few days that I agree with is that open-source software seems to be associated with an abandonment of normal levels of software quality control and testing.

Coders want to do the zen stuff: coding. They don't want to do the debugging unless they get paid for it.

Post by Steve Pope
Some of the commentary over the last few days that I agree with is that open-source software seems to be associated with an abandonment of normal levels of software quality control and testing.

Coders want to do the zen stuff: coding. They don't want to do the debugging unless they get paid for it.

I have friends who worked at Microsoft and have great war tales of the coding there. For instance they would need a function for something and the coder would write a Swiss Army knife routine which did WAY too much when all was needed was a simple routine.

One thing that always pissed me off about some proprietary and open source SDKs was the example code. The author of the example was obviously showing off to get his next gig and I would have to unwind his code to just get the basic stuff I needed. On one proprietary embedded platform the guy had C++ jumping between several files when a one file example would have been ample.

This was also a problem I complained about with the Google Android examples. Fortunately we have programmers with blogs who unwound the examples (not to mention long winded documentation which was just an unedited engineer dump).

One thing I liked about the MSDN was that someone mandated SIMPLE concise examples. It was probably a bunch of cranky Microsoft engineers not willing to unwind incomprehensible code.

Post by Mike Stump
Actually, it isn't a stoopid idea. You just don't realize the benefits of it...

Oh, the wishful thinking is that it's free and that there is all this group wisdom coming into play that will make things better. Well, Firefox is the result of such a group collaboration and look at what a bloated mess it became.

Post by David Kaye
Oh, the wishful thinking is that it's free and that there is all this group wisdom coming into play that will make things better. Well, Firefox is the result of such a group collaboration and look at what a bloated mess it became.

But bloated mess describes soo much software on the planet. :-)

I do wish we got more value for the bloat, but, the bloat seems to have diminishing returns. 2* the code, 1/8* added benefit.

Post by David Kaye
Oh, the wishful thinking is that it's free and that there is all this group wisdom coming into play that will make things better. Well, Firefox is the result of such a group collaboration and look at what a bloated mess it became.

But bloated mess describes soo much software on the planet. :-)
I do wish we got more value for the bloat, but, the bloat seems to have diminishing returns. 2* the code, 1/8* added benefit.

My friend who worked at Microsoft was high level on the Visual Studio project. They got a lot of programming candidates, fresh out of college, who really didn't know how to code but just let the IDE build the code for them. You see a lot of this nowadays.

I wanted to become familiar with Unity 3D. So I took one of my 1980s small 2D games and used Unity's new 2D library. It was small as a web application but for Android it made a 10 MB file which expanded to around 20 MB when installed. Android coders complained about that as most of the bloat was the Unity library.

So I tried a version with the open source AndGame Engine which wound up being a little over 1 MB (most of that was graphics and audio). I also had some fun making an HTML5 version using Javascript.

Post by Thad Floryan
Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years.

So much for open source being a panacea.

Bingo!

Anyone who believes there are millions of extra eyes perusing and poring over every line of open source code is dreaming and deluding themselves.

If anyone, it's the criminal hackers who are reading the code to determine how it can be exploited for financial gain and/or for fun -- I doubt the exploits are the result of an errant mouse click on a GUI.

Post by Roy
2) Someone has to have sniffed your data stream during the security exchange. If you didn't use Wifi, someone has to have tapped the physical wires or diverted traffic (like the NSA).

This is absolutely and completely not true. The whole point of the vulnerability, and why it's so awful, is that an attacker can gain access to the process' memory simply by sending carefully crafted heartbeat packets to the service. An attacker does *not* need any special physical access whatsoever. To quote heartbleed.com:

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software."

The exchange does *not* need to be sniffed in transit: if the daemon still has your credentials in memory, they are available to attackers.
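As an added illustration of the reply above (example code written for this thread, not OpenSSL's source), here is a simplified heartbeat handler in C: the record layout, the "process memory" buffer and the neighbouring secret are all constructed, and the hardened version adds the kind of length check whose absence let a heartbeat request be answered with bytes beyond the record it actually carried.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model of a TLS heartbeat record (added illustration, not OpenSSL code):
   type(1) | payload_length(2, big-endian) | payload | padding(16). */
enum { HB_REQUEST = 1, HB_PADDING = 16 };

/* Constructed "process memory": the record is built at offset 0; unrelated data
   the peer must never see is placed at offset 32 of the same buffer. */
static unsigned char process_memory[64];

/* Build a record whose header claims claimed_len payload bytes but that actually
   carries only "hi"; return the number of bytes really "received". */
static size_t stage_record(uint16_t claimed_len)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + 3, "hi", 2);                    /* padding stays zero */
    memcpy(process_memory + 32, "SESSION=abc123", 14);      /* the neighbouring secret */
    return 1 + 2 + 2 + HB_PADDING;                          /* 21 bytes on the wire */
}

/* Vulnerable pattern: trusts the length field inside the packet and never
   compares it with rec_len, the number of bytes actually received. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                       /* the bug: rec_len is ignored */
    if (payload > out_cap) payload = (uint16_t)out_cap;  /* only to keep the demo in bounds */
    memcpy(out, rec + 3, payload);   /* copies past the record into neighbouring memory */
    return payload;
}

/* Hardened pattern: header + claimed payload + padding must fit inside the bytes
   actually received, otherwise the record is dropped without a response. */
static int heartbeat_checked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the missing check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* 1 if the unchecked handler echoes the neighbouring secret when the header claims 40 bytes. */
int unchecked_leaks_secret(void)
{
    unsigned char out[48];
    size_t rec_len = stage_record(40);
    size_t n = heartbeat_unchecked(process_memory, rec_len, out, sizeof out);
    /* out[29..40) mirrors process_memory[32..43), i.e. "SESSION=abc" */
    return n == 40 && memcmp(out + 29, "SESSION=abc", 11) == 0;
}

/* Hardened handler's verdict for a claimed length: -1 rejected, else bytes echoed. */
int checked_result(uint16_t claimed_len)
{
    unsigned char out[48];
    size_t rec_len = stage_record(claimed_len);
    return heartbeat_checked(process_memory, rec_len, out, sizeof out);
}
```

The same 21-byte record is rejected by the checked handler when its header claims 40 bytes and answered normally when it claims 2, which is the behaviour a patched server shows.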

Post by Thad Floryan
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
7:01 pm, Tuesday, April 8, 2014
SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.

<snip>

We're headed for a time that the Internet will become completely unusable because of things like this. Something that the elite would love to see happen as they hate us peeing on their arrogance with our comments about them.

Post by Bhairitu
We're headed for a time that the Internet will become completely unusable because of things like this.

For a while, I was collecting all the various reasons that the internet will roll over and die. Every new innovation has produced predictions of imminent doom. File sharing, spam, kiddie porn raids, IP video, etc have all had their attendant doomsday prophets. Internet2 was supposed to clean up the mess and start over. It didn't. None of them will happen because the topology and capacity of the internet is amazingly versatile and flexible. At best, what you'll see out of this are various forms of secondary security, like rolling code number generators, X.509 certificates on USB things, and maybe one-time password generators. However, that will only happen once the victims of Heart Bleed start to appear, which so far, I've seen none.

Post by Bhairitu
We're headed for a time that the Internet will become completely unusable because of things like this. Something that the elite would love to see happen as they hate us peeing on their arrogance with our comments about them.

Huh? The elite would like nothing better than to eliminate as many jobs as they can via automation. This is why there is no job growth in America; the elite are encouraging people to shop online and bucking any legislation requiring them to pay sales taxes, etc.

Post by Bhairitu
We're headed for a time that the Internet will become completely unusable because of things like this. Something that the elite would love to see happen as they hate us peeing on their arrogance with our comments about them.

Huh? The elite would like nothing better than to eliminate as many jobs as they can via automation. This is why there is no job growth in America; the elite are encouraging people to shop online and bucking any legislation requiring them to pay sales taxes, etc.

So now is the time for the guaranteed minimum income. ;-)

Yes, I agree that the elite have a problem because they too make money off the Internet.

Post by Bhairitu
We're headed for a time that the Internet will become completely unusable because of things like this.

:-) You must be new around here... Are you so naive as to actually believe that? Or put another way, the net's, the internet's imminent death is upon us, always has been, always will be. Each year, we close half the distance to total destruction.

Post by Bhairitu
We're headed for a time that the Internet will become completely unusable because of things like this.

:-) You must be new around here... Are you so naive as to actually believe that? Or put another way, the net's, the internet's imminent death is upon us, always has been, always will be. Each year, we close half the distance to total destruction.

LOL! Hardly, pal. I've been coding for over 30 years. Used pre-Internet CompuServe, BIX, Genie and most of that to be in a remote location and get information like I was in Silicon Valley way back in the 1980s. If I had packed up six months after buying my first computer in 1983 and come down here I would have had a job in days. I didn't know that until in the 1990s I was the technical director at a major Bay Area game company and found how difficult it was to find people with the appropriate knowledge.